CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
Debugging messages help attackers learn about the system and plan a form of attack.
Last updated
Overview
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.
Background
The debug attribute of the tag defines whether compiled binaries should include debugging information. The use of debug binaries causes an application to provide as much information about itself as possible to the user.
Real-world CVEs
2 recorded CVEs are caused by CWE-11 (ASP.NET Misconfiguration: Creating Debug Binary). The highest-severity and most recent are shown first.
Common consequences
What can happen when CWE-11 is exploited.
Read Application Data
Affects: Confidentiality
Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-11, grouped by where in the lifecycle they apply.
Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.
Vulnerable example
<?xml version="1.0" encoding="utf-8" ?>Change the debug mode to false when the application is deployed into production.
Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: ASP.NET Misconfiguration: Creating Debug Binary
Frequently asked questions
Common questions about CWE-11.
- What is CWE-11?
- Debugging messages help attackers learn about the system and plan a form of attack.
- What CVEs are caused by CWE-11?
- 2 recorded CVEs are attributed to CWE-11, including CVE-2024-48008, CVE-2021-35235.
- How do you prevent CWE-11?
- Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.
- How is CWE-11 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-11?
- Exploiting CWE-11 can lead to: Read Application Data.
- Is CWE-11 actively exploited?
- 2 recorded CVEs are caused by CWE-11; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-11) (opens in a new tab)
- CWE-11 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-11
Get alerted the moment a new CWE-11 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.